
f%$king zeus...

I have some variant of the Zeus virus on my system. I have Avira and have it set to auto-update and auto-scan every 24 hours. But this variant of Zeus does not seem to be found by Avira.
Since I don't want to give up yet and reimage my system, I'm using a different system to log on to my financial sites and use eBay/PayPal, so as to avoid my login info being harvested.

Something I'm noticing may or may not be related...

When I issue the netstat command at a prompt I get what seem to be port loops.
Below is an example of the output from netstat, and the number of "loops" like the one below varies from time to time. Port numbers vary also. I do have Spybot installed, and use the passive protection features to modify my hosts file. I'm guessing these "loops" are foiled attempts by malware/spyware to download more of its kind to my system?
I'm not really understanding why my PC needs to talk to itself outside of the OS?

Found the following writeup on Zeus. This is actually a member of the Trojan.Zbot family. I didn't have enough time to go through it in detail but it may provide you some insight as to what's going on and how to get rid of it.

Zeus is a NASTY bot. I just attended a presentation outlining some of its features. I would highly suggest reimaging the machine. One of the bot's main features is to steal credentials. It is highly sophisticated, and can get around several security measures (SecurID, security questions, CAPTCHAs, etc.). If you are in an organization, I would suggest checking the other machines on the network.

"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."

•Try to use the free, portable version of SUPERAntiSpyware to remove the viruses.
•If that doesn’t work, reboot your PC into safe mode with networking (use F8 right before Windows starts to load)
•Try to use the free, portable version of SUPERAntiSpyware to remove the viruses.
•Reboot your PC and go back into safe mode with networking.
•If that doesn’t work, and safe mode is blocked, try running ComboFix. Note that I’ve not yet had to resort to this, but some of our readers have.
•Install Malwarebytes and run it, doing a full system scan. (see our previous article on how to use it).
•Reboot your PC again, and run a full scan using your normal Antivirus application (we recommend Microsoft Security Essentials).

Slightly OT, but I have heard that a lot of malware infections can be mitigated if you disallow executables from running from %temp% and c:\windows\temp. This can easily be done with software restriction policies, either in the local policy editor, or group policy.

I think I will give it a shot when I get back to work, and see if anything blows up on me. :-P

"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."
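As an added example (not from the post above, and not something its author posted), the following PowerShell writes the same registry entries that the Local Security Policy snap-in (secpol.msc) creates when you add "Disallowed" path rules under Software Restriction Policies. The store layout is the documented one: the CodeIdentifiers key holds the policy-wide settings, the `0` subkey is the Disallowed level, and each path rule is a GUID-named subkey with an `ItemData` path and `SaferFlags`. The three paths, the description text and the choice to apply the policy to administrators too are my assumptions; adjust them for your environment. Run it from an elevated prompt.

```powershell
# Added example: SRP "Disallowed" path rules for the temp directories.
# Assumes an elevated PowerShell session on a Windows version that honours
# Software Restriction Policies (XP onward). Paths and description are my choices.
$srp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Policy-wide settings, same values the Local Security Policy UI writes:
#   DefaultLevel 0x40000   = Unrestricted for anything no rule matches
#   TransparentEnabled 1   = enforce for all software files except libraries (DLLs)
#   PolicyScope 0          = apply to all users, including local administrators (1 exempts admins)
#   ExecutableTypes        = the default list of extensions SRP treats as executable
New-Item -Path $srp -Force | Out-Null
Set-ItemProperty -Path $srp -Name DefaultLevel       -Value 0x40000 -Type DWord
Set-ItemProperty -Path $srp -Name TransparentEnabled -Value 1       -Type DWord
Set-ItemProperty -Path $srp -Name PolicyScope        -Value 0       -Type DWord
Set-ItemProperty -Path $srp -Name ExecutableTypes -Type MultiString -Value @(
    'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF',
    'INS','ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG',
    'SCR','SHS','URL','VB','WSC')

# Level 0 is "Disallowed". One GUID-named subkey per path rule under 0\Paths.
# Assumed paths: per-user temp on XP/2003, per-user temp on Vista and later, C:\Windows\Temp.
$blocked = @(
    '%USERPROFILE%\Local Settings\Temp\*',
    '%USERPROFILE%\AppData\Local\Temp\*',
    '%SystemRoot%\Temp\*'
)
foreach ($path in $blocked) {
    $rule = Join-Path $srp ('0\Paths\{' + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $rule -Force | Out-Null
    Set-ItemProperty -Path $rule -Name ItemData     -Value $path -Type ExpandString
    Set-ItemProperty -Path $rule -Name SaferFlags   -Value 0     -Type DWord
    Set-ItemProperty -Path $rule -Name Description  -Value 'Block execution from temp' -Type String
    # FILETIME the UI records so the rule shows a "last modified" date in secpol.msc
    Set-ItemProperty -Path $rule -Name LastModified -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -Type QWord
}

# Check what the policy store now contains, then apply it without waiting for a refresh.
Get-ChildItem -LiteralPath "$srp\0\Paths" |
    ForEach-Object { (Get-ItemProperty -LiteralPath $_.PSPath).ItemData }
gpupdate /force
```

Two caveats worth knowing before you roll this out. Path rules with environment variables are expanded in the context of the user running the program, so a user (or something running as that user) who redefines `%USERPROFILE%` points the rule elsewhere; on a domain, prefer explicit drive paths pushed by Group Policy. And plenty of legitimate installers unpack into `%TEMP%` and run from there, so expect some of them to fail once the rule is live, which is exactly the "see if anything blows up" test the poster has in mind.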

None of which really means anything if you're not even logged into the proper account to begin with.

That's why most malware these days calls GetTokenInformation through the advapi32 library to check whether you're admin or not. Then it pops up a dialog box along the lines of, "Pretty please... disable UAC and run this as admin. I dare you!"
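The check the post describes, written out as an added example (this is my code, not the poster's and not taken from any sample): call `GetTokenInformation` on the current process token with the `TokenElevation` class and read the single `TokenIsElevated` DWORD it returns. With UAC on, an administrator's normal desktop runs under a filtered token that reports 0, which is why the malware in the quip wants UAC off or an elevated run. On XP/2003 there is no UAC and `TokenElevation` is not a valid class, so the call fails and the code falls back to plain group membership.

```powershell
# Added example: elevation check via advapi32!GetTokenInformation(TokenElevation).
# P/Invoke signature is the documented one; the constant 20 is TOKEN_INFORMATION_CLASS::TokenElevation.
Add-Type -Namespace Win32 -Name Token -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(
    IntPtr TokenHandle, int TokenInformationClass,
    IntPtr TokenInformation, int TokenInformationLength, out int ReturnLength);
'@

function Test-TokenElevated {
    $identity       = [Security.Principal.WindowsIdentity]::GetCurrent()
    $TokenElevation = 20                 # TOKEN_ELEVATION is a single DWORD: TokenIsElevated
    $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal(4)
    try {
        $len = 0
        $ok  = [Win32.Token]::GetTokenInformation($identity.Token, $TokenElevation, $buf, 4, [ref]$len)
        if ($ok) {
            # Non-zero means the token is a full (elevated) admin token.
            # An admin running under UAC without "Run as administrator" gets 0 here.
            return ([Runtime.InteropServices.Marshal]::ReadInt32($buf) -ne 0)
        }
        # XP/2003: no UAC, call fails with ERROR_INVALID_PARAMETER; group membership is all there is.
        $principal = New-Object Security.Principal.WindowsPrincipal($identity)
        return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    } finally {
        [Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
    }
}

Test-TokenElevated
```

Run it once from a normal prompt and once from an elevated one to see the two answers; the difference between them is the whole reason the "disable UAC" social-engineering dialog exists.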

netstat -ao, or just -o, so that you get the process ID that is establishing the connection.

or

use TCPView by Sysinternals

Use Process Explorer (Sysinternals) to take a copy of the exe file and either send it directly to Avira or check it on virustotal.com to see whether Avira and others have a detection for it.

Stop using the machine till there is an update and the malware is removed from the machine.
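The netstat-to-process step above, worked through as an added example (my code, not the poster's and not part of any Sysinternals tool). It parses `netstat -ano` output (`-n` skips name resolution so the columns are stable to parse), pairs up the mirror-image loopback rows that the original poster calls "port loops", works out which side is the listener from the LISTENING rows, and resolves each PID to its image path and SHA-256 so the file can be looked up on VirusTotal or sent to Avira. The sample output at the bottom is constructed to look like such a loop; the PIDs in it do not exist, so on your own machine feed it the live command instead.

```powershell
# Added example: pair loopback connections from netstat -ano and identify the processes.
function ConvertFrom-NetstatLine {
    param([string]$Line)
    # Rows look like:  TCP    127.0.0.1:1037    127.0.0.1:1052    ESTABLISHED    1624
    $f = $Line.Trim() -split '\s+'
    if ($f.Count -lt 5 -or $f[0] -ne 'TCP') { return }     # header, blanks, UDP rows
    [pscustomobject]@{
        LocalAddr  = $f[1] -replace ':\d+$', ''
        LocalPort  = [int]($f[1] -replace '.*:', '')
        RemoteAddr = $f[2] -replace ':\d+$', ''
        RemotePort = [int]($f[2] -replace '.*:', '')
        State      = $f[3]
        ProcessId  = [int]$f[4]
    }
}

function Get-ProcessImageInfo {
    param([int]$ProcessId)
    $info = [pscustomobject]@{ Name = '(not running / access denied)'; Path = $null; Sha256 = $null }
    try {
        $p = Get-Process -Id $ProcessId -ErrorAction Stop
        $info.Name = $p.ProcessName
        $info.Path = $p.Path                       # throws for protected / other-bitness processes
        $sha = [Security.Cryptography.SHA256]::Create()
        $info.Sha256 = ($sha.ComputeHash([IO.File]::ReadAllBytes($p.Path)) |
                        ForEach-Object { $_.ToString('x2') }) -join ''
        $sha.Dispose()
    } catch { }
    return $info
}

function Find-LoopbackPairs {
    param([string[]]$NetstatOutput)
    $rows = @($NetstatOutput | ForEach-Object { ConvertFrom-NetstatLine $_ } | Where-Object { $_ })
    $listeners = @($rows | Where-Object { $_.State -eq 'LISTENING' } | ForEach-Object { $_.LocalPort })
    $loop = @($rows | Where-Object {
        ($_.LocalAddr -in '127.0.0.1','[::1]') -and ($_.RemoteAddr -in '127.0.0.1','[::1]') -and
        $_.State -eq 'ESTABLISHED' })
    $seen = @{}
    foreach ($a in $loop) {
        # The other half of the loop has the ports swapped.
        $b = $loop | Where-Object { $_.LocalPort -eq $a.RemotePort -and $_.RemotePort -eq $a.LocalPort } |
             Select-Object -First 1
        if (-not $b) { continue }
        $key = (@($a.LocalPort, $b.LocalPort) | Sort-Object) -join '-'
        if ($seen.ContainsKey($key)) { continue }
        $seen[$key] = $true
        # The side whose port also shows up as LISTENING is the local "server" (proxy/injector);
        # the other side is the client that connected to it (typically the browser).
        if ($listeners -contains $a.LocalPort) { $server = $a; $client = $b } else { $server = $b; $client = $a }
        $img = Get-ProcessImageInfo $server.ProcessId
        [pscustomobject]@{
            ClientPid   = $client.ProcessId; ClientPort = $client.LocalPort
            ServerPid   = $server.ProcessId; ServerPort = $server.LocalPort
            ServerImage = $img.Name;         ServerPath = $img.Path; ServerSha256 = $img.Sha256
        }
    }
}

# Constructed sample (not real capture): PID 1624 listens on 127.0.0.1:1037, PID 2268 (a browser)
# talks to it and to a real web server.
$sample = @(
    '  Proto  Local Address          Foreign Address        State           PID',
    '  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880',
    '  TCP    127.0.0.1:1037         0.0.0.0:0              LISTENING       1624',
    '  TCP    127.0.0.1:1037         127.0.0.1:1052         ESTABLISHED     1624',
    '  TCP    127.0.0.1:1052         127.0.0.1:1037         ESTABLISHED     2268',
    '  TCP    192.168.1.10:1055      66.211.168.100:80      ESTABLISHED     2268'
)
Find-LoopbackPairs -NetstatOutput $sample | Format-Table -AutoSize
```

On the infected machine run `Find-LoopbackPairs -NetstatOutput (netstat -ano)`; the `ServerPid` column is the process to open in Process Explorer, and `ServerSha256` is what you paste into VirusTotal before bothering to upload anything. Two things to keep in mind when reading the result: a browser holding a loopback connection to an unknown listener is a classic local-proxy pattern, but Zeus also injects into the browser process itself, so a clean-looking browser binary on the client side proves nothing; and a process you cannot hash from an unelevated prompt is worth a second look from an elevated one rather than being written off.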

I'm going to try this solution, thanks ByTeWrangler... I got rid of it temporarily... or thought I did, because for a while I did not get the fake eBay page after login. But then after a reboot I tested again and the browser injection/redirection was happening again. I think whatever program I was scanning/cleaning with got rid of one copy but didn't remove the registry entry or some other copy. Hadn't tried anything with safe mode.

I'll try to get a copy of the infected executable and submit it to Avira. I put my trust in the software for quite some time and have never had a problem. But like many people say, "don't put all your eggs in one basket".

I have tried so many different programs it's hard to remember which one temporarily did the trick... but I've been using TRK pretty frequently on customer systems. It's nice that the scripts run different scanners sequentially, but I haven't read up on automating the updating and scanning of all engines without user interaction.

Personally, I generally try to remove malware in safe mode, as it does tend to limit some things that might otherwise start.

You might also look at CCleaner as it can wipe some of the places that malware can lurk. It also has a registry cleaning utility so you might get some mileage if you can kill the malware and then run both the cleaner and the registry fixer.